Date:      Wed, 9 Jun 2010 12:23:30 GMT
From:      Dmitriy Demidov <dima_bsd@inbox.lv>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/147720: ipfw dynamic rules and fwd
Message-ID:  <201006091223.o59CNUql062418@www.freebsd.org>
Resent-Message-ID: <201006091230.o59CU4Ds039883@freefall.freebsd.org>


>Number:         147720
>Category:       misc
>Synopsis:       ipfw dynamic rules and fwd
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 09 12:30:04 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Dmitriy Demidov
>Release:        FreeBSD 7-STABLE
>Organization:
>Environment:
FreeBSD evo.local.home 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0: Sat Feb 20 22:57:09 EET 2010 root@evo.local.home:/usr/obj/usr/src/sys/STABLE i386
>Description:
There is one bug with ipfw keep-state rules and the fwd action.

You are unable to do source-based routing of incoming connections using this ruleset:

=======
# $ext_if1 - ISP1
# $gw1 - ISP1 GW
# $ext_if2 - ISP2
# $gw2 - ISP2 GW
# $int_if - internal net

ipfw add 100 skipto 300 tag 1 in recv $ext_if1 keep-state
ipfw add 200 skipto 300 tag 2 in recv $ext_if2 keep-state
ipfw add 300 allow { recv $ext_if1 or recv $ext_if2 }
ipfw add 400 allow in recv $int_if
ipfw add 500 fwd $gw1 tagged 1
ipfw add 600 fwd $gw2 tagged 2
=======


To make it work, you should patch /sys/netinet/ipfw/ip_fw2.c with this:

====
(find this line)
if (!q || dyn_dir == MATCH_FORWARD)

(change it to this)
if (sa->sin_port && (!q || dyn_dir == MATCH_FORWARD))
====



This problem is present in FreeBSD 9-CURRENT as well.


Can somebody please merge this patch to CURRENT?


Credit for this patch goes to Vadim Goncharov
nuclight.livejournal.com/124348.html
>How-To-Repeat:
Have a FreeBSD host with two NICs connected to different networks, each with its own GW. Apply the ipfw rules from the example provided. Start some service (SSH/Apache/etc). Try to connect to the service from the network behind the GW that is not configured as the default gateway on the FreeBSD host - the answer will go via the second NIC/default GW. The keep-state ruleset does not work.
>Fix:
Apply the patch.

>Release-Note:
>Audit-Trail:
>Unformatted: